How to prevent new installations when I have already installed my client through LAN boot?
Carsten Aulbert
carsten at welcomes-you.com
Thu Feb 9 15:20:08 CET 2012
Hi
On 2012-02-09 16:11, Thomas Neumann wrote:
>
> -To skip booting from network card, you can use the command
> fai-chboot(8)
> to enable localboot.
> +It is possible to remotely execute 'fai-chboot ...' on the fai
> server to
> switch the installed client to localboot after the installation has
> completed. Warning: This may open up the fai installation environment
> to
> exploits if the remote login account is not properly secured.
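Review bot: the warning on the added lines says the remote login account must be "properly secured" but gives the reader nothing to act on; state what that means for this use, for instance that the account used to run 'fai-chboot ...' on the fai server should be able to do that and nothing else. The added text also drops the fai-chboot(8) man page reference that the removed line carried and shows the command only as 'fai-chboot ...', so keep the (8) reference so the reader can look up how to enable localboot.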
Sorry to chime in here, but if you require this to be added, where
would you stop?
If a sysadmin is not aware that a remote login needs to be secured,
he/she is to blame for that.
Then the handbook needs to state also, that you need to use a very good
root password with certain rules, when being at it, you should also make
sure that no packages are installed which have not been reviewed by an
independent certified third party, and finally, you need to ensure -
before using FAI(!) - to have a fully secure network (possibly base
encrypted - who checks the firmware for hidden backdoors?), round the
clock guards on site and of course no-one is ever allowed to touch the
machine to protect against memory being frozen to reveal secrets.
Sure, this last paragraph is way over the top, but I think the FAI
handbook should possibly mention the various possibilities, but it's up
to the actual user to decide which may or may not be suited for the
local site.
Cheers
Carsten